Intelligent Spoofing a la Beagle/Bagle-A

The news section at the head of this newsletter lists a new virus, W32.Beagle.A@mm. It was discovered on January 18, 2004, and has made surprising inroads since it was first reported, spreading numerous infections on many networks. Symantec rates this mass-mailing virus as a category 3, noting that the number of infections has been relatively high (500-999 reported as of 1/20/2004) and that its distribution is likewise high.

On Monday morning, the day after the virus was discovered, I responded to one of this virus's messages, which appeared to come from a fellow information security professional, Mike Chapple (my co-author on our Sybex CISSP Study Guide, for which we're currently working on a second edition), not realizing that a bogus test message is how the virus propagates. Luckily for me, my Norton AV software detected and blocked the infected attachment, but I responded to Mike anyway, thinking that the message was odd and might have been forged by somebody else.

Mike's response to the e-mail, after we both realized what was going on and did some homework, was that Beagle-A was the first case of what he called "intelligent spoofing" in a mass-mailing virus. Beagle-A fills both the To: and From: fields of the messages it creates with e-mail addresses harvested from the infected machine. In randomly choosing Mike's address as the sender, it created a situation where automatic anti-spam screening wouldn't stop the incoming message from reaching my inbox, because Mike's e-mail address is explicitly allowed entry by a whitelist. The From: header is just text the sending program writes, so any filter that trusts it alone is open to exactly this trick.

We're also convinced that this phenomenon explains why so many people were infected by this virus, despite its rather simple-minded approach and its readily detectable infected attachment. Familiar addresses may be harvested from address books belonging to individuals who know pairs of people who also know each other. Those pairs, though generated randomly by the virus, may represent real "e-mail associations" between people, in the sense that, like Mike and myself, they will actually permit e-mail messages to flow between them (and in our case, we've got plenty of current and legitimate reasons to be sending each other e-mail, including test messages).
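The following is an added illustration, not the worm's code and not taken from any of the analyses cited here. It models the two points above: a message whose From: and To: are both drawn from one harvested pool, and the way a From:-keyed whitelist lets such a message through when the harvested addresses really do correspond with each other. The address pool, the per-address whitelists, the subject, body and attachment bytes are all constructed placeholders; the `sender_verified` flag stands in for whatever sender authentication a gateway might perform, and is an assumption of the example rather than anything the newsletter describes.

```python
"""Model of Beagle-A-style 'intelligent spoofing': From: and To: are both
harvested addresses, so a From:-keyed whitelist delivers the message.
Added illustration; not the worm's code and not Symantec's analysis."""
import itertools
import os
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed data: addresses harvested from one victim's address book, and
# each address's own anti-spam whitelist. The whitelists overlap because
# these people genuinely exchange e-mail (the "e-mail associations" above).
HARVESTED = ["ed@example.org", "mike@example.net",
             "editor@example.com", "stranger@example.biz"]
WHITELISTS = {
    "ed@example.org":       {"mike@example.net", "editor@example.com"},
    "mike@example.net":     {"ed@example.org", "editor@example.com"},
    "editor@example.com":   {"ed@example.org", "mike@example.net"},
    "stranger@example.biz": set(),
}
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat"}


def forge_message(sender, recipient, attach_executable=True):
    """Build a message the way the worm's pattern does: both header addresses
    come from the harvested pool and the payload is an executable attachment.
    Subject, body and attachment bytes are placeholders, not the real strings."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "test"
    msg.set_content("Test message, please ignore.\n")
    if attach_executable:
        msg.add_attachment(b"MZ" + b"\x00" * 30, maintype="application",
                           subtype="octet-stream", filename="test.exe")
    return msg


def _addresses(msg):
    return parseaddr(str(msg["From"]))[1], parseaddr(str(msg["To"]))[1]


def naive_filter(msg):
    """2004-style gateway logic: if From: is on the recipient's whitelist,
    skip every further check. From: is attacker-controlled, so this is the hole."""
    sender, recipient = _addresses(msg)
    return "deliver" if sender in WHITELISTS.get(recipient, set()) else "quarantine"


def hardened_filter(msg, sender_verified=False):
    """Two changes: attachment screening runs before, and independently of,
    any whitelist; and the whitelist only applies once the gateway has
    verified the sender (sender_verified is an assumed stand-in for that
    check; the From: header on its own never qualifies)."""
    for part in msg.iter_attachments():
        ext = os.path.splitext((part.get_filename() or "").lower())[1]
        if ext in EXECUTABLE_EXT:
            return "quarantine"
    if not sender_verified:
        return "hold"  # an unauthenticated From: earns no whitelist bypass
    sender, recipient = _addresses(msg)
    return "deliver" if sender in WHITELISTS.get(recipient, set()) else "quarantine"


def whitelist_hit_rate(filter_fn):
    """Fraction of all ordered (sender, recipient) pairs from the harvested pool
    that the given filter delivers: the worm's odds against that filter."""
    pairs = list(itertools.permutations(HARVESTED, 2))
    delivered = sum(filter_fn(forge_message(s, r)) == "deliver" for s, r in pairs)
    return delivered / len(pairs)


if __name__ == "__main__":
    print("naive whitelist delivers:", whitelist_hit_rate(naive_filter))
    print("hardened filter delivers:", whitelist_hit_rate(hardened_filter))
```

With the constructed pool, half of all random sender/recipient pairings sail past the naive filter because three of the four harvested people whitelist one another; the hardened filter delivers none of them, since the executable attachment is screened before the whitelist is ever consulted, and the whitelist itself is keyed on a verified sender rather than on the From: line.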

Had the virus been more destructive, or used some kind of automatic execution facility (as written, only people who receive and open the infected payload actually "catch" Beagle-A), I suspect it could have wreaked considerably more havoc than it did. Fortunately, up-to-date AV software can deal with most such viruses as well, but this does open the interesting and frightening possibility that the technique could be used with much more destructive impact in the future. Not only is Beagle-A pretty innocuous, it also has a built-in expiration date of 1/28/2004 (it checks the system date and does nothing once that date has passed).

Be sure to read up on this virus. You should find the following analyses useful and informative: